Taiab's Blog

Burp Suite for Beginners: My Web Pentest Workflow

Md. Taiab

Md. Taiab

2024-12-05 ยท 2 mins read


The first time I opened Burp Suite I was overwhelmed โ€” dozens of tabs, none obvious. Months later I use maybe five features for 90% of testing. Here's that minimal workflow.

> Only test applications you own or are explicitly authorized to test. Everything below assumes a lab or an in-scope engagement.

1. Proxy: See Everything

The foundation. Point your browser through Burp's proxy and every request flows through it. Browse the app normally first โ€” login, key features โ€” to populate the Target โ†’ Site map. You can't test what you haven't seen.

2. Target: Define Scope

Add the target domain to scope and filter everything else out. This keeps the noise down and โ€” importantly โ€” stops you from accidentally sending traffic to out-of-scope hosts.

3. Repeater: The Workhorse

Send any interesting request to Repeater and modify it by hand:

GET /api/orders/1043 HTTP/1.1
Host: target.test
Cookie: session=...

Change 1043 to 1044. Does it return someone else's order? That's an IDOR, and Repeater is how you confirm it one request at a time.

4. Intruder: Automate the Boring Part

When you need to try many values โ€” fuzzing an ID range, testing a parameter against a wordlist โ€” Intruder automates it. Watch the response length and status columns; an outlier usually means you found something.

5. Decoder: Make Sense of Encoding

Tokens and parameters are often Base64, URL-encoded, or hex. Decoder unwraps them so you can see what's actually inside โ€” sometimes a Base64 "token" is just a user ID you can change.

The Mindset Matters More Than the Tool

Burp doesn't find bugs โ€” it lets you find them by making requests editable. The skill is asking "what happens if I change this value to one I shouldn't be allowed to use?" Burp just makes asking that question fast.

Md. Taiab

Written by Md. Taiab

Follow

Md. Taiab is a Software QA Engineer and security enthusiast based in Dhaka, Bangladesh. He interned as a QA Engineer at Battery Low Interactive Ltd. and competes in CTFs and programming contests โ€” ranked Top 3% globally on TryHackMe and Champion of GUB Junior IDPC 2023.

Comments disabled โ€” add your CommentBox.io project ID to .env.local as NEXT_PUBLIC_COMMENTBOX_ID